bowler Posted June 14, 2013

Hi all. On the last episode Mubix showed how he can retrieve a person's private key as it was stored in a sqlite db in the clear. I think it is usually the case that private keys are password protected (or should be). Now in the case that the private key is protected with a lengthy complex password (basically a password generated by a generator) would the private key be of any use to anyone without the associated password that protects it? Thanks.

thecommongeek Posted July 21, 2013

I am running OSX, can I be relatively confident that Mailvelope is a good solution, as long as I am sure that nobody would have physical access to my laptop?

mubix Posted August 16, 2013

Mailvelope is still a good solution on Windows. My only hit on the product was that the developer wasn't using the available encryption in Chrome to encrypt his storage so that an offline attacker couldn't get the keys. And yes your point still holds that if people use a good password then the keys will be useless to the attacker.

no42 Posted August 18, 2013

> I am running OSX, can I be relatively confident that Mailvelope is a good solution, as long as I am sure that nobody would have physical access to my laptop?

If you're running OSX, why don't you use https://gpgtools.org ? Works great!

Sitwon Posted August 18, 2013

> Mailvelope is still a good solution on Windows. My only hit on the product was that the developer wasn't using the available encryption in Chrome to encrypt his storage so that an offline attacker couldn't get the keys. And yes your point still holds that if people use a good password then the keys will be useless to the attacker.

Let's qualify this. (Sorry, but in the security field EVERYTHING needs to be qualified.)

If people use a good password, it will somewhat slow down the attacker as they will have to brute-force the password before they can make use of the key. With modern technology it's becoming easier and more affordable to massively parallelize and distribute the job. Even in a strictly brute-force scenario, this is eating away at password security.

Second, thanks in part to the recent disclosures of large quantities of real-world password examples, the techniques for generating password guesses have been improving as well, which drastically cuts down the search space from a pure brute-force attack to fuzzed variations on common patterns. This is also eating away at password security.

You need both a long password, and a password that does not conform closely to a known pattern. Otherwise, like in the rest of the security field, having physical access (or a local copy) makes bypass an inevitable eventuality.

But let's put this in context: It's still a hell of a lot safer than plain text. It might not be impenetrable, but at least you're making them work for it. Even if it just buys you a few days, that could be enough to make all the difference.

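Added example (not part of any post in this thread, and not Mailvelope or GnuPG code): a check of whether a stored OpenPGP secret key is passphrase-protected at all, and how many bytes must be hashed for each passphrase guess, read from the string-to-key fields defined in RFC 4880. It assumes the input is the body of a version 4 Secret-Key packet with armor and packet header already removed; `describe_protection`, `sample_body` and the sample bytes are constructed for illustration.

```python
import struct

# Number of public-key MPIs per RFC 4880 algorithm id (RSA, Elgamal, DSA).
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}
S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated+salted"}


def skip_mpis(body, pos, count):
    """Advance past `count` MPIs (2-byte bit length, then the value)."""
    for _ in range(count):
        bits = struct.unpack_from(">H", body, pos)[0]
        pos += 2 + (bits + 7) // 8
    return pos


def describe_protection(body):
    """Report how the secret half of a v4 Secret-Key packet body is stored."""
    version, _created, algo = struct.unpack_from(">BIB", body, 0)
    if version != 4 or algo not in PUBLIC_MPIS:
        raise ValueError("only v4 RSA/Elgamal/DSA keys are handled here")
    pos = skip_mpis(body, 6, PUBLIC_MPIS[algo])
    usage = body[pos]  # string-to-key usage octet
    if usage == 0:
        return {"protected": False}  # secret MPIs are stored in the clear
    if usage not in (254, 255):
        # Legacy form: the octet is the cipher id, key is a bare passphrase hash.
        return {"protected": True, "s2k": "legacy", "cipher": usage}
    cipher, s2k_type, hash_algo = body[pos + 1:pos + 4]
    info = {"protected": True, "cipher": cipher, "hash": hash_algo,
            "s2k": S2K_TYPES.get(s2k_type, "unknown")}
    if s2k_type == 3:
        c = body[pos + 12]  # coded count follows the 8-byte salt
        info["hashed_bytes"] = (16 + (c & 15)) << ((c >> 4) + 6)
    return info


def sample_body(protection):
    """Constructed input: v4 RSA packet body with tiny placeholder MPIs."""
    public = struct.pack(">BIB", 4, 0, 1) + b"\x00\x08\xc1" + b"\x00\x02\x03"
    return public + protection


if __name__ == "__main__":
    clear = sample_body(b"\x00" + b"\x00" * 8)
    locked = sample_body(b"\xfe\x09\x03\x08" + b"S" * 8 + b"\x60" + b"\x00" * 16)
    print(describe_protection(clear))
    print(describe_protection(locked))
```

A key reported as unprotected, legacy, or with a small `hashed_bytes` value makes each guess cheap, so the passphrase alone has to supply the resistance discussed above.
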
BuckoA51 Posted September 5, 2013

This might be a dumb question (my second one today) but, are private keys shared by Chrome if you use Mailvelope? By that I mean, if I mailveloped on my desktop, then logged into a chromebook with my Google password, would my private key be waiting for me there? If so, isn't that kind of a security risk having your private key stored by Google in the cloud?